From: http://www.wired.com/threatlevel/2010/01/google-hack-attack/
A hack attack that targeted Google in December also hit 33 other companies, including financial institutions and defense contractors, and was aimed at stealing source code from the companies, say security researchers at iDefense.
The hackers used a zero-day vulnerability in Adobe Reader to deliver malware to many of the companies and were in some cases successful at siphoning the source code they sought, according to a statement distributed Tuesday by iDefense, a division of VeriSign. The attack was similar to one that targeted other companies last July, the company said.
A spokeswoman for iDefense wouldn’t name any of the other companies that were targeted in the recent attack, except Adobe.
Adobe acknowledged Tuesday in a blog post that it discovered Jan. 2 that it had been the target of a “sophisticated, coordinated attack against corporate network systems managed by Adobe and other companies.”
The company didn’t say whether it was a victim of the same attack that struck Google. But Adobe’s announcement came just minutes after Google revealed that it had been the target of a “highly sophisticated” hack attack originating in China in December.
Neither Google nor Adobe provided details about how the hacks occurred. Google said only that the hackers were able to steal unspecified intellectual property from it, and that they had focused their attack on obtaining access to the Gmail accounts of human rights activists who were involved in China rights issues.
But according to iDefense, whose customers include some of the 33 companies that were hacked, the attacks were well targeted and “unusually sophisticated” and aimed at grabbing source code from several hi-tech companies based in Silicon Valley as well as financial institutions and defense contractors.
The hackers gained access to the company networks by sending targeted e-mails to employees, some of which contained a malicious PDF attachment. The malicious code exploited a zero-day vulnerability in Adobe’s Reader application.
Zero-day vulnerabilities are security flaws in software for which there is currently no patch. Adobe announced in mid-December that a new zero-day vulnerability in its Reader and Acrobat programs was being actively targeted by attackers. The company made the announcement after security researchers not affiliated with Adobe discovered attacks being conducted against the vulnerability. Adobe patched the critical vulnerability only on Tuesday this week.
In the recent attack on some of the companies, once a recipient clicked on the malicious PDF attachment, a backdoor Trojan program called Trojan.Hydraq was installed on their machine in the form of a Windows DLL, according to iDefense.
iDefense says that when Google discovered malware on its systems in December, it found that the code was communicating with a server set up to receive information stolen from the targeted companies.
“It was configured in such a way that it was able to receive a massive amount of data being exfiltrated to it,” says an iDefense spokeswoman who asked not to be named.
Google was able to determine, by examining the server, that the hackers had struck numerous other companies, she said. Google said in its Tuesday announcement that 20 other companies had been hacked. But iDefense found evidence that at least 33 were targeted.
The recent attacks bear a strong resemblance to another attack that occurred in July 2009, which targeted about 100 IT companies, iDefense says. In that earlier attack, the hackers also sent targeted e-mail to companies with a malicious PDF attachment, but it’s unclear how successful that attack was.
According to Ryan Olson, an analyst for iDefense, the attacks in July and December targeted different vulnerabilities. The one in July affected Adobe’s Reader, Acrobat and Flash applications, which it patched Jul. 30. The vulnerability the hackers are believed to have used in December also affected Reader and Acrobat.
iDefense obtained samples of the malicious code used in the July attack and in the more recent one and found that although the malware differed between the two attacks, the programs both communicated with similar command-and-control servers. The servers each used the HomeLinux DynamicDNS service to change their IP address, and both currently point to IP addresses within a block owned by Linode, a U.S.-based company that offers Virtual Private Server hosting.
“The IP addresses in question are … six IP addresses apart from each other,” iDefense said in its statement. “Considering this proximity, it is possible that the two attacks are one and the same, and that the organizations targeted in the [recent] Silicon Valley attacks have been compromised since July.”
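The inference iDefense draws above (two campaigns whose command-and-control addresses sit a handful of addresses apart on the same hosting provider may be one operation) is a routine infrastructure-pivoting step in incident analysis. The following is an added example, not iDefense's or Wired's code; the hostnames, the campaign labels and the addresses (drawn from the TEST-NET documentation ranges) are constructed placeholders, since the article does not publish the real indicators.

```python
"""Correlate command-and-control indicators from two campaigns by the numeric
proximity of their resolved IPv4 addresses.

Added example; the indicators below are constructed, not the real ones.
"""
from ipaddress import IPv4Address, ip_network
from itertools import combinations
from typing import NamedTuple


class C2Indicator(NamedTuple):
    campaign: str       # which intrusion set the sample came from
    hostname: str       # dynamic-DNS name found in the malware configuration
    resolved_ip: str    # address the name pointed to when it was checked


# Constructed sample: two campaigns, four observations. "homelinux.invalid"
# stands in for a dynamic-DNS name; ".invalid" guarantees it never resolves.
SAMPLE_INDICATORS = [
    C2Indicator("july-2009", "update-a.homelinux.invalid", "192.0.2.10"),
    C2Indicator("dec-2009", "news-b.homelinux.invalid", "192.0.2.16"),
    C2Indicator("dec-2009", "cdn-c.example.invalid", "198.51.100.77"),
    C2Indicator("july-2009", "mail-d.example.invalid", "203.0.113.5"),
]


def ip_distance(a: str, b: str) -> int:
    """Absolute difference of two IPv4 addresses as 32-bit integers."""
    return abs(int(IPv4Address(a)) - int(IPv4Address(b)))


def same_netblock(a: str, b: str, prefix: int = 24) -> bool:
    """True when both addresses fall in the same /prefix network, so that a
    small numeric distance across a block boundary is not counted."""
    return (ip_network(f"{a}/{prefix}", strict=False)
            == ip_network(f"{b}/{prefix}", strict=False))


def find_linked_pairs(indicators, max_distance: int = 16):
    """Return (hostname_x, hostname_y, distance) for every pair of indicators
    from *different* campaigns whose addresses are within max_distance of
    each other inside one /24. Pairs from the same campaign are skipped
    because they add nothing to the cross-campaign question."""
    links = []
    for x, y in combinations(indicators, 2):
        if x.campaign == y.campaign:
            continue
        d = ip_distance(x.resolved_ip, y.resolved_ip)
        if d <= max_distance and same_netblock(x.resolved_ip, y.resolved_ip):
            links.append((x.hostname, y.hostname, d))
    return links


if __name__ == "__main__":
    for hx, hy, d in find_linked_pairs(SAMPLE_INDICATORS):
        print(f"{hx} and {hy} resolve {d} addresses apart: possible shared infrastructure")
```

Proximity on a shared VPS provider is suggestive rather than conclusive (neighbouring addresses are routinely leased to unrelated customers), which is why the statement quoted above says only that the two attacks are "possibly" one and the same; the check is a lead to corroborate with other overlap, such as shared dynamic-DNS accounts or reused malware configuration.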
Olson told Threat Level that the attackers are “incredibly good” at finding new exploits and infecting the right people but that nothing he’d seen in the malware indicated they were above average in writing malicious code.
“The sophistication here is all about the fact they were able to target the right people using a previously unknown vulnerability,” he says.
The iDefense spokeswoman told Threat Level that her company waited a week to disclose details about the attack until after Google went public with the news that it had been hacked. She said it’s her understanding that Google’s source code was targeted in the hack attack.
Google declined to publicly discuss the details of iDefense’s report.
Adobe’s announcement didn’t discuss specifically whether hackers had stolen its source code but said that it had “no evidence to indicate that any sensitive information — including customer, financial, employee or any other sensitive data — has been compromised” in the attack.
This post was updated with information from Olson about the malware used in the attack. It also was updated to clarify that the Hydraq trojan and PDF exploit were used to breach some of the companies, but not all of them.
It is the motherland's 60th anniversary, which is cause for celebration, but for some of us small webmasters there is no joy right now, only gloom.
We received notice from the IDC provider that our servers must have Huadun (华盾) software installed for information monitoring.
There is nothing objectionable in that as such: under the regulations every server has to have an information-monitoring function, keep server logs for sixty days, and follow the other security-standardization measures.
But mandating Huadun specifically has, I am sure, left many webmasters with servers in Maoming, Zhanjiang and Yangjiang in Guangdong quite fed up.
Below is what I found when testing that Huadun thing against the mature products currently on the market:
(If there are mistakes, corrections and additions are welcome.)
1. Information monitoring: I have always used 一流信息监控 (Yiliu Information Monitoring), and as far as monitoring features go, Yiliu is far better than Huadun.
For example:
Image monitoring
Yiliu: can compile all images uploaded or modified each day into a single list for monitoring staff to review.
Huadun: no such feature. Let me ask: if a site is all pornographic images with no text, what is Huadun for? Decoration?
2. Keyword monitoring settings:
Of course, every monitoring system is about the same here: phrases like "一次性交易" (one-off transaction), "港口交易" (port trade) and "24口交换机" (24-port switch) [each contains a substring that matches a blocked term] all get intercepted alike. When the customers curse at you, just grin and bear it.
(Addendum: a friend suggested changing "24口交换机" to "24嘴交换机" [swapping 口 for the synonym 嘴 so the substring no longer matches].)
3. ICP website filing (备案) lookup
For example:
MIIT (工信部) filing lookup: reads the server's IIS or Apache site list and batch-checks whether each site has a filing.
(1) In testing, Huadun's error rate is around 32%. (For a second-level domain [a subdomain] it does not check the top-level [registered] domain and simply reports it as not filed.)
(2) 7i24's batch lookup tool, .NET version: a batch of 300 domains tested on Windows Server 2003, all correct.
(Retested the 7i24 batch lookup in 2009-09: error rate around 15%.)
(3) 清竹 (Qingzhu) IIS filing check tool: error rate around 5%.
(Per MIIT, second- and third-level domains do not need their own filing.)
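The failure mode described above (a checker that looks up "bbs.example.com.cn" verbatim and reports "not filed", when the filing belongs to the registered domain "example.com.cn") comes down to one missing normalization step. The following is an added example, not the code of Huadun, 7i24, Qingzhu or any other tool named in the post; the public-suffix subset, the hostnames and the filing table are constructed, and the in-memory table stands in for the MIIT filing database a real checker would query.

```python
"""Batch-check a web server's bound hostnames against a filing table after
reducing each hostname to its registrable domain.

Added example; suffix list, hostnames and filings below are constructed.
"""

# Constructed subset of public suffixes under which domains are registered.
# A real tool would load the full Public Suffix List.
PUBLIC_SUFFIXES = {"cn", "com.cn", "net.cn", "org.cn", "gov.cn", "com", "net", "org"}

# Constructed stand-in for the filing database: registrable domain -> filing number.
FILINGS = {
    "example.com.cn": "ICP-PLACEHOLDER-1",
    "example.cn": "ICP-PLACEHOLDER-2",
}

# Constructed host headers as they might appear in an IIS/Apache site list.
SAMPLE_BINDINGS = [
    "www.example.com.cn",
    "bbs.example.com.cn",
    "example.cn",
    "m.example.cn",
    "localhost",
]


def registrable_domain(hostname: str) -> str:
    """'bbs.example.com.cn' -> 'example.com.cn', 'www.shop.example.com' -> 'example.com'.
    Suffixes are tried longest-first, so 'com.cn' wins over 'cn'. Raises
    ValueError when no known suffix matches (e.g. 'localhost')."""
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    raise ValueError(f"no registrable domain for {hostname!r}")


def naive_check(hostnames, filings=FILINGS):
    """The flawed approach: look up each hostname exactly as bound."""
    return {h: filings.get(h) for h in hostnames}


def check_bindings(hostnames, filings=FILINGS):
    """Return {hostname: (registrable_domain, filing_or_None)}.
    Each registrable domain is looked up once even when many hosts share it,
    which also keeps the number of queries to the filing service down."""
    cache = {}
    report = {}
    for host in hostnames:
        try:
            reg = registrable_domain(host)
        except ValueError:
            report[host] = (None, None)   # cannot be attributed to a registration
            continue
        if reg not in cache:
            cache[reg] = filings.get(reg)  # one query per registered domain
        report[host] = (reg, cache[reg])
    return report


def naive_false_negatives(hostnames, filings=FILINGS) -> int:
    """Count hosts the naive lookup reports as unfiled although their
    registered domain does have a filing."""
    naive = naive_check(hostnames, filings)
    correct = check_bindings(hostnames, filings)
    return sum(1 for h in hostnames
               if naive[h] is None and correct[h][1] is not None)


if __name__ == "__main__":
    for host, (reg, filing) in check_bindings(SAMPLE_BINDINGS).items():
        print(f"{host:22} -> {reg or '?':16} {filing or 'NOT FILED'}")
    print("naive lookup would wrongly flag", naive_false_negatives(SAMPLE_BINDINGS), "hosts")
```

On the constructed list the naive lookup flags three of the four filed hosts as unfiled, the same kind of inflated error rate the post measured; the only real work is the suffix handling, since "example.com.cn" must not be cut down to "com.cn".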
4. Packet inspection, optimization checks and similar features
For example:
Lets server webmasters, server administrators and so on view packets, etc.
What I would like to ask is: how many webmasters can read those? Huadun technicians, come over and I will send you some; you tell me?
5. Performance management:
(1) Traffic view:
I am sure many people have used this. Compared with Huadun's version, Cacti on Linux is more complete, and on Windows the 睿微 (Ruiwei) IIS site traffic monitor is smaller and better than Huadun. Why use your paid Huadun?
(2) CPU information view: for a server administrator, going onto the server and opening Task Manager does the job. Why use Huadun, with a member login on top of it??? For an individual webmaster, though, it is fairly practical!!
(3) Process pool: an administrator who needs your Huadun software even for this, what use is that technician??
5. Website security:
Anti-injection: undeniably a good feature,
and practical for an individual webmaster. But how many individual webmasters can understand these so-called SQL statements? For a server administrator, the responsibility is to work with the programmers so the code is written properly, not to keep patching after the fact.
Hotlink protection: not tested, no comment. (But hotlink protection is everywhere online, all of it free.)
File restriction: not tested, no comment. (There are piles of file-restriction tools online; if I needed one I could knock one up in 易语言 (Easy Programming Language) any time, with settings for which drives and directories to monitor.)
6. Host maintenance:
Disk view: needless to say, everyone on earth knows how to read disk sizes with ASP, PHP and so on.
Restart IIS: also not worth mentioning; I cannot be bothered.
Restart server: likewise just a warm restart. If a restart is needed, go straight onto the server. For example, some auto-start programs only finish loading once the desktop loads; if you restart through Huadun, do you not still have to go onto the server once? If this feature was meant to help administrators, I think it is more hindrance than help.
Startup item status: most individual webmasters install 360 Safeguard (360卫士), and a technician can simply look in REGEDIT, so what is it for? Moreover it is view-only and cannot edit the registry the way 360 does. If someone has planted a hacker program, do you not still have to go onto the server directly?
Remote port connection: this feature just reads the 3389 port value from the registry. From an administrator's standpoint, normal server hardening includes NIC port filtering; with this feature sitting here, if you change the port but the server's NIC does not have that port open, are you not equally done for? And many administrators block edits to that registry key, so the feature is a sham!!!!!
System process management: this one counts as genuinely practical!
System port management: reads the NIC's TCP/IP filtering settings; this web feature is practical!!
System service management: convenient for administrators to view (view only, no stop or start). For individual webmasters, even if you list the services, not many will understand them.. For administrators, when first configuring the server you have already opened and closed whatever needed it; surely nobody installs a server, then installs Huadun, and calls that security? Huadun, you are not a security product, so don't fucking price yourself above your worth!
Network connection status: just a netstat command, a useless feature!
7. Website management
Website management: manages the list of sites on IIS and sets states such as stopped.
For individual webmasters: practical.
For companies and ISPs: redundant; no ISP is going to abandon its own virtual-hosting control panel in favor of Huadun. Stop puffing yourself up as a virtual-hosting management system! Huadun, you do not have that ability!!!
Forced advertisements/notices:
For individual webmasters: redundant!
For ISPs: fairly practical for self-service site builders, personal homepages and the like!!!
Summary: Huadun has a nice-looking web layout, but what the hell use is pretty? It is not a whore!
Software survives by being practical; however hard you push it, it will die by your own hand, as with Huadun's current promotion policy!